dridex | 80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll
Size

1.4MB
MD5

b0386ba950a1b343ae0b01e8c98e0a4c
SHA1

5f2cca191a83203b55710072c5cef194bdfc7b83
SHA256

80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614
SHA512

088224073d06521d9c43ecea1b493d12bb39ffa3f40db879c0b69c462a621db343cf7c03740304e063158b18d41ab747ecd99980c865068abcb8ced2125eda5c
SSDEEP

24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NP:I9cKrUqZWLAcUH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2496	DeviceDisplayObjectProvider.exe
2072	cmstp.exe
2780	dvdupgrd.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2496	DeviceDisplayObjectProvider.exe
1196	Process not Found
2072	cmstp.exe
1196	Process not Found
2780	dvdupgrd.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\20QnxtS\\cmstp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2796	1196	Process not Found	28
PID 1196 wrote to memory of 2796	1196	Process not Found	28
PID 1196 wrote to memory of 2796	1196	Process not Found	28
PID 1196 wrote to memory of 2496	1196	Process not Found	29
PID 1196 wrote to memory of 2496	1196	Process not Found	29
PID 1196 wrote to memory of 2496	1196	Process not Found	29
PID 1196 wrote to memory of 2524	1196	Process not Found	30
PID 1196 wrote to memory of 2524	1196	Process not Found	30
PID 1196 wrote to memory of 2524	1196	Process not Found	30
PID 1196 wrote to memory of 2072	1196	Process not Found	31
PID 1196 wrote to memory of 2072	1196	Process not Found	31
PID 1196 wrote to memory of 2072	1196	Process not Found	31
PID 1196 wrote to memory of 2760	1196	Process not Found	32
PID 1196 wrote to memory of 2760	1196	Process not Found	32
PID 1196 wrote to memory of 2760	1196	Process not Found	32
PID 1196 wrote to memory of 2780	1196	Process not Found	33
PID 1196 wrote to memory of 2780	1196	Process not Found	33
PID 1196 wrote to memory of 2780	1196	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Nb2\cmstp.exe
C:\Users\Admin\AppData\Local\Nb2\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2072

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:2760

C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe
C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6F8aweN1\VERSION.dll

Filesize
1.4MB

MD5
510ce1d045b3e0a36167aee9e734481d

SHA1
055a563d4849305537c004b1edd806ab2120bcd2

SHA256
cd47ef32260203cceb27693cc17c040c030be0e41e4a63146a4508b60f1f7468

SHA512
c2a7212e97ff57473939a7624038d93b345368eab0b279f71bc173e72ae4788ecfa7843580b8d4243fd2152fc85aa0df945b140d6aac030e3fec4f8400475223

Download Submit
C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe

Filesize
25KB

MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
C:\Users\Admin\AppData\Local\Nb2\VERSION.dll

Filesize
1.4MB

MD5
d9b849d487efa79bd64b4a3007201c4e

SHA1
c19819086bd6ad6cdcea6c09f67b5810dfbd7e41

SHA256
d75174f0eda30f8e2cbd48da11954ea7a05f4237b1d5879410300f3ad22d829e

SHA512
863e4fe6eb6aeae48ab58dbd04c5d8bfdb59bb0a5108bc1baafba5d6e793535587f9d8a10e595b54bf991ac9157eb734fde996d3ba680b103576aac794c4f54a

Download Submit
C:\Users\Admin\AppData\Local\SYAcTUKBo\XmlLite.dll

Filesize
1.4MB

MD5
0480e15546611d496626a7ec1ca5c434

SHA1
f406715758013feef0e5a711b641b13df6f4f7b3

SHA256
6be3be073e9e5721be067de6d830ea67b48a1b52ac2307b38c268e38841490fe

SHA512
ddcdfe3d9af3d9a31ae4f070e70c8cfd0c3c74a32095d9f0fe59ea8d94fabdee55b352cb64d7f02fd1a08b554f41f293b85fcc8bf2abdcfdf3bf473dcbfd858c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk

Filesize
1000B

MD5
dffd958bf2630040e02890afe4fa02cc

SHA1
b96a4edc2457aac84c2ebac7f5c5f0890e779db9

SHA256
88aa805fb5e305cb02e2791805f377318f5b8ac9b91af5c6c9dd533bb312f5bc

SHA512
8d4130ee4c1557aa0c45d8529556904eccd9e957ef4d4775203fd79adf858e6f1b5f9bbb186d01a527f00ad07fbe0c20657a642e177b24fe49a2ba0d71247460

Download Submit
\Users\Admin\AppData\Local\Nb2\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe

Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
memory/1196-27-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-4-0x0000000077A76000-0x0000000077A77000-memory.dmp

Filesize
4KB

Download
memory/1196-19-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-32-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/1196-31-0x0000000077B81000-0x0000000077B82000-memory.dmp

Filesize
4KB

Download
memory/1196-33-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-34-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-28-0x0000000002AD0000-0x0000000002AD7000-memory.dmp

Filesize
28KB

Download
memory/1196-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-68-0x0000000077A76000-0x0000000077A77000-memory.dmp

Filesize
4KB

Download
memory/1196-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1196-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1932-42-0x000007FEF67C0000-0x000007FEF692E000-memory.dmp

Filesize
1.4MB

Download
memory/1932-0-0x000007FEF67C0000-0x000007FEF692E000-memory.dmp

Filesize
1.4MB

Download
memory/1932-3-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/2072-69-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2072-70-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-75-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-56-0x000007FEF71D0000-0x000007FEF733F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-53-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2496-50-0x000007FEF71D0000-0x000007FEF733F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-90-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2780-93-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp

Filesize
1.4MB

Download